Colleagues In Cuffs: When Employees Steal Patient Records

The Queens County DA recently arrested two Jamaica Hospital employees for stealing patient data, a lucrative crime occurring at hospitals across the nation.

The Queens, N.Y., district attorney recently charged two employees of Jamaica Hospital Medical Center with illegally accessing emergency room patients' medical records and personal identification information, and selling that data to individuals who then solicited services such as outpatient care or legal assistance -- sometimes while patients were still in the ER.

"These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records," said DA Richard Brown, in a statement.

Defendants Maritza Amador, 44, and Dache Prawl, 45, were registrars at the Queens, N.Y., hospital's ER. Allegedly the duo illegally accessed personal information, including Social Security numbers and medical data, and passed that information to people who falsely represented themselves as representatives of the hospital to patients. These individuals offered transportation to outpatient therapy, attorney services related to car accident injuries, and follow-up medical treatment, the DA charges. They were released without bail and their next court date is May 20, the Queens County DA's office told InformationWeek.

The Health Insurance Portability and Accountability Act (HIPAA) and the regulations that have grown up around it set high standards. Yet this is not the first -- and, no doubt, won't be the last -- time employees allegedly stole patient data.

In May 2013, a physician and office worker reportedly quit Pensacola, Fla.-based Sight and Sun Eyeworks without notice; they allegedly took with them 9,000 patient records and Social Security numbers, which they used to reschedule patients' appointments at their new practice, local media reported.

In San Francisco, a city employee allegedly sent the confidential data of about 2,500 Medi-Cal recipients to her home computer in an effort to combat her dismissal for "poor performance." The worker's attorneys and union representatives also saw the data, which included patient information and Social Security numbers. In another case, a former benefits clerk for United Healthcare Workers West was sentenced to 12 years and four months in prison for stealing the data of about 30,000 union employees of Kaiser Permanente in California. Crooks used the data to buy merchandise valued at more than $1 million, according to a published report.

A Miami respiratory therapist reportedly sold patients' personal information for up to $150 per person; buyers then used the data to illegally file and claim patients' tax returns, Florida media said. Tallahassee Memorial Hospital offered identity protection services to more than 100 patients after discovering a hospital employee illegally accessed data for a fraudulent tax scheme.

Despite many instances of malicious breaches, 75% of healthcare organizations believe employee negligence is their biggest security concern, according to the Fourth Annual Ponemon Report on Patient Privacy and Data Security. In 2013, 12% of organizations reported a malicious insider breached patient security, compared with 14% in both 2012 and 2011, the research firm said. The average cost of a data breach last year? Almost $2 million, down slightly from the prior year, Ponemon estimated.

Healthcare organizations will spend about $70 billion on security in 2017, a whopping 75% increase from $40 billion in 2012, according to the Boyd Company. Yet protecting data from greedy, careless, or disgruntled employees is, in some ways, more challenging than safeguarding records from external threats.

IT departments must ensure users only access records necessary for their roles and responsibilities, promptly changing authorizations when an employee's job changes and cutting off all access when an employee leaves the organization.

In addition, managers, colleagues, and human resource departments -- as well as monitoring tools and alarms -- must put extra focus on unhappy employees. A mindboggling 85% of employees are not satisfied with their jobs and only 13% are actively engaged, according to Gallup's "State of the Global Workplace" report. Of those dissatisfied employees, 24% are "actively disengaged," meaning they proactively undermine colleagues' work and, perhaps, help themselves to patient data to pad their bank accounts or wreak havoc on their employer.
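As an added illustration of the access controls and monitoring described above (example code, not from the article or the hospital), the following Python reviews a constructed EHR audit extract against an assumed account-and-role table. It flags access by a deactivated account, fields outside a user's current role after a job change, and a registrar pulling more distinct patient records than an assumed per-shift baseline. Account names, roles, field names and log lines are all made up for the example.

```python
from collections import defaultdict

# Assumed access-control state, user -> (current role, active). An account that
# left the organization is inactive; a role change replaces the old role.
ACCOUNTS = {
    "reg_amy": ("er_registrar", True),
    "reg_bob": ("er_registrar", True),
    "reg_carl": ("er_registrar", False),  # terminated: all access should be gone
    "nurse_dee": ("billing", True),       # moved from ER nursing to billing
}
# Fields each role legitimately needs (least privilege); hypothetical names.
ROLE_FIELDS = {
    "er_registrar": {"demographics", "insurance"},
    "er_nurse": {"demographics", "vitals", "medications"},
    "billing": {"demographics", "insurance"},
}
# Constructed one-shift audit extract: "timestamp user patient_id field".
AUDIT_LOG = """\
2014-04-07T08:02:11 reg_amy P1001 demographics
2014-04-07T08:05:40 reg_amy P1001 insurance
2014-04-07T08:09:03 reg_bob P1003 demographics
2014-04-07T08:09:30 reg_bob P1003 diagnosis
2014-04-07T08:10:02 reg_bob P1004 diagnosis
2014-04-07T08:10:41 reg_bob P1005 diagnosis
2014-04-07T08:11:17 reg_bob P1006 diagnosis
2014-04-07T08:40:00 reg_carl P1010 demographics
2014-04-07T09:00:00 nurse_dee P1003 vitals
"""


def review(log_text, accounts=ACCOUNTS, role_fields=ROLE_FIELDS, max_patients=3):
    """Return sorted (user, reason) alerts: inactive/unknown accounts, field
    access outside the current role, and more distinct patient records than
    the assumed per-shift baseline (the bulk-access pattern in the article)."""
    alerts = set()
    patients_seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, user, patient, field = line.split()
        role, active = accounts.get(user, (None, False))
        if not active:  # terminated or never provisioned: any access is an alert
            alerts.add((user, "access by inactive or unknown account"))
            continue
        if field not in role_fields.get(role, set()):
            alerts.add((user, f"field '{field}' outside role {role}"))
        patients_seen[user].add(patient)
    for user, patients in patients_seen.items():
        if len(patients) > max_patients:
            reason = f"{len(patients)} distinct patients exceeds baseline {max_patients}"
            alerts.add((user, reason))
    return sorted(alerts)
```

In practice the baseline would be derived from each role's historical access volume rather than a fixed constant, and the alerts would feed a review queue rather than block care.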

Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure. To secure patient data, IT must ensure information is safe from everyone, even colleagues in the department across the hall.

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Studies have shown money isn't always the most important part of keeping employees happy and engaged. That said, people should (IMHO) earn a livable wage, especially when they're in a career that's involved training and education.

Employees don't need to be unhappy, greedy or unethical to cause a data breach – information that is lost, stolen or compromised – just misinformed.

The amount of information stolen by employees is a fraction of the information lost during the computer recycling process. Why? Companies usually rely on low-level employees to dispose of old IT equipment. In turn, those employees rely on the local electronic recycling company to remove equipment and, only as a secondary part of the process, erase or destroy hard drives.

One of the most common causes of data getting in the wrong hands is NOT the loss of mobile devices. Research has shown that up to 30% of computer equipment purchased in the secondary market – think eBay – contains confidential information. There are currently 115,000 used hard drives listed on eBay, which does not include whole PCs, laptops, servers and storage equipment. The math does not look good for secure data.

One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.

"Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure."

Another reason to keep IT staff happy!

But seriously, worker unhappiness is often a hard thing for even the most conscientious managers to detect. An employee could be unhappy but also quite competent and good at concealing his or her emotions. Displays of "active disengagement" and undermining others' work are the real red flags, and that's where a smart, observant manager is the company's best ally. At the same time, IT must fortify the hospital's systems and only allow employees access to the data they need for their jobs. And also monitor suspicious activity regularly. As Alison mentioned in her comment, savvy managers and strong tech are the best medicine.

Well, anyone trying to get by on $12 an hour is bound to be unsatisfied and unhappy, so that means that almost everyone is a "suspect". There's a lesson to be had here, and that is, you can and should tighten up computer system security, but you can't control the human heart.

I am not sure, but that's a great question. Just because employees are unhappy, it doesn't automatically mean they'll go on to do something unethical, either. Most unhappy workers will either stay where they are or start looking for new employment. It's only a certain percentage that will proactively sabotage their organization.

In reading and writing about this in the past, a lot comes back to strong, good managers who know their teams and can sense when something is amiss. It also involves implementing the right technology tools to ensure individuals are accessing only the data they need, as often as they need to, and that alarms go off when someone appears to be doing something odd -- copying info, sharing data, accessing info they don't need, etc. It's more difficult when IT is the one doing the misdeeds, of course, but the combo of savvy managers, well-trained employees who are alert to oddities (like a $12/hour colleague who drives a 2014 Porsche and wears Armani), and strong tech will help.

Is there any science to identifying the unhappy/disengaged employees who might be the source of patient data theft problems? Is unhappiness really the key? I'd think some sort of psychological screening for ethical thinking would be more important. But I don't know how you measure either happiness or ethics on an ongoing basis, other than to pay attention to those individuals who are openly grumbling.

Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.